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Abstract 


Defending  Department  of  Defense  networks  is  a  complex  endeavor.  Our  current  method  of 
defending  networks  starts  with  topdown  rules,  policies  and  regulations.  These  rules  and  regula¬ 
tions  are  complex  and  in  many  cases  may  be  redundant  or  contradicted  to  meet  an  urgent  opera¬ 
tional  requirement.  Additionally  the  requirements  contained  in  these  policies  are  not  always 
funded.  This  paper  will  examine  if  edge  organizational  techniques  and  Edge  Theory  could  be 
applied  to  cyber  security  organizations  to  improve  the  defense  of  DoD  networks. 


Introduction 


Defending  Department  of  Defense  networks  is  a  complex  endeavor  with  an  extensive  amount 
of  topdown  rules,  policies  and  regulations.  These  rules  and  regulations  are  complex  and  in  many 
cases  may  be  redundant  or  contradicted  to  meet  an  urgent  operational  requirement.  In  some  cases 
new  rules  are  created  across  the  enterprise  in  response  to  a  specific  event  at  one  part  of  the  or¬ 
ganization  (i.e.  Wiki  leaks)  without  much  thought  to  the  impact  on  the  entire  organization.  Addi¬ 
tionally  the  requirements  contained  in  these  policies  are  not  always  funded.  DoD  networks  could 
be  better  defended  by  organizing  as  an  edge  organization.  This  paper  will  introduce  this  concept 
and  start  the  discussion  to  examine  if  edge  organizational  techniques  and  edge  theory  could  be 
applied  to  cyber  security  organizations  to  improve  the  defense  of  DoD  networks. 

Edge  Theory 

In  order  to  understand  why  an  Edge  organization  will  improve  the  perfonnance  of  a  cyber 
security  organization  we  must  have  a  common  definition  of  an  Edge  organization  and  understand 
the  characteristics  of  an  Edge  organization.  Alberts  defines  an  Edge  organization  as  “Edge  or¬ 
ganizations  are  organizations  where  everyone  is  empowered  by  information  and  has  the  freedom 
to  do  what  makes  sense”  [1].  Members  in  an  Edge  organization  members  are  empowered  to 
share  information  and  most  relationships  are  of  a  peer-to-peer  nature.  This  eliminates  the  distinc¬ 
tion  between  line  and  support  personnel  as  well  as  the  associated  stovepipes  of  that  artificial  di¬ 
vision.  By  flattening  an  organization  the  requirement  for  the  “middle”  part  of  an  organization 
that  relays  communications  within  that  organization  is  greatly  reduced.  This  reduction  of  the 
“middle”  and  stovepipes  removes  “barriers  to  information  sharing  and  collaboration”  within  that 
organization  and  between  the  components  of  that  organization  [1], 

Current  Top  Down  Structure 

Under  our  current  cyber  structure  senior  leadership  develops  high  level  and  detailed  policy 
guidance  along  with  extensive  reporting  requirements.  The  DoD  Infonnation  Assurance  Tech¬ 
nology  Analysis  Center  has  a  chart  (Figure  1)  that  displays  all  of  the  guidance  required  to  “Build 
and  Operate  a  Trusted  GIG”  [2]. 


Figure  1  (IATC  2011) 


In  addition  to  this  high  level  and  detailed  DoD  guidance  there  is  an  abundance  of  similar 
guidance  at  the  service  and  operational  level.  In  many  cases  the  operational  guidance  is  a  copy  of 
the  high  level  guidance.  Although  the  chart  depicts  the  policy  and  divides  them  up  into  function¬ 
al  areas  there  is  no  mapping  of  policy  relationships.  For  example  the  DoD  Information  Assur¬ 
ance  Certification  and  Accreditation  Process  (DIACAP)  policy  does  not  map  to  the  prevention 
and  delaying  attacks  guidance  so  the  people  actually  defending  the  networks  and  information 
systems  may  not  have  any  visibility  into  the  certification  packages,  which  describe  how  systems 
are  secured  and  associated  risks,  of  the  systems  they  are  defending. 


This  centralized  planning  model  does  not  lend  itself  to  quick  and  agile  defense  of  cyber  as¬ 
sets.  For  successful  centralized  planning  the  central  leadership  must  be  able  to  “make  sense  of 
the  situation,  maintain  this  understanding  in  the  face  of  a  dynamic  environment,  predict  the  fu¬ 
ture,  develop  an  appropriate  response  strategy,  decompose  the  response  into  a  coherent  set  of  ex¬ 
ecutable  tasks,  allocate  resources,  task  subordinates,  monitor  execution,  and  make  adjustments  as 
required,  all  in  a  timely  manner”  [1]. 


With  the  complexity  of  even  one  information  system  that  has  thousands,  if  not  millions  lines 
of  code  and  a  multitude  of  possible  configurations  a  centralized  organization  can’t  possibly 
maintain  control  and  understand  the  diverse  configurations  of  these  systems.  The  complexity  of 
the  systems  and  multitude  of  attack  vectors  (email,  malicious  websites,  brute  force,  social  engi¬ 
neering,  phishing,  malicious  insiders)  inhibit  the  effectiveness  of  a  centralized  planning  model. 
With  the  large  scale  number  of  attacks  on  DoD  networks  “The  Pentagon's  top  information- 


security  official,  Robert  Lentz,  said  the  Defense  Department  detected  360  million  attempts  to 
penetrate  its  networks  last  year,  up  from  six  million  in  2006“  [3], 

With  such  a  high  number  of  attacks  how  can  a  hierarchical  and  centralized  organization  man¬ 
age  the  response  to  so  many  attempted  attacks?  “Cyberwarfare  is  like  maneuver  warfare,  in  that 
speed  and  agility  matter  most’ ’[4].  By  moving  to  an  edge  cyber  security  organization  and  allow¬ 
ing  action  at  the  edge  make  it  easier  to  defend  and  respond  to  cyber  attacks. 


The  Fog  of  War  in  Cyber  Warfare 

Information  overload  is  one  of  the  major  factors  for  “fog  of  war”  in  cyber  warfare.  If  every 
organization  followed  the  current  rules  they  would  conduct  recurring  vulnerability  scans  and  this 
data  would  be  fed  into  different  databases  so  the  chain  of  command  would  have  a  list  of  1000’s 
of  vulnerabilities  but  does  this  enhance  the  overall  security  of  the  scanned  systems  if  the  owners 
don’t  have  the  tools  or  manpower  to  resolve  those  vulnerabilities?  With  the  amount  and  com¬ 
plexity  of  this  data  there  is  no  way  for  a  centralized  organization  make  sense  of  this.  This  is  ana¬ 
logous  to  telling  Platoon  commander  to  defend  a  street  block  but  instead  of  letting  him  deploy 
his  troops  he  would  first  have  to  scan  the  block  for  vulnerabilities  on  a  checklist  and  submit 
those  vulnerabilities  to  higher  HQ.  Many  of  the  vulnerabilities  on  the  checklist  might  not  be  ap¬ 
plicable  to  the  current  situation,  higher  headquarters  would  asses  the  listed  vulnerabilities  them 
and  tell  the  Platoon  Commander  which  ones  to  fix.  As  this  data  makes  its  way  up  the  chain  of 
command  the  enemy  disposition  is  constantly  changing  and  by  the  time  a  response  is  received 
from  upper  echelon  it  may  be  too  late  to  defend  the  block.  Instead  of  doing  this  the  Anny  devel¬ 
ops  tactics,  techniques  and  procedures  (TTPs)  for  the  Platoon  Commander  to  utilize  that  can  be 
modified  based  on  the  local  situation. 

The  attacker  has  the  advantage  in  cyber  warfare,  the  attacker  only  needs  to  know  one  vulne¬ 
rability  to  gain  access  to  a  system  while  the  defender  must  monitor  all  vulnerabilities.  This  ad¬ 
vantage  is  increased  when  a  defender  operates  in  a  hierarchical  organization  and  must  wait  for 
top  down  direction  to  take  action.  Local  units  defending  their  own  networks  would  have  a  small¬ 
er  footprint  and  less  data  to  monitor  making  it  easier  to  detect  attacks. 

Cyber  Warfare  Command  and  Control 

Even  in  an  edge  organization  leadership  must  be  involved  in  setting  overall  guidance  and 
have  situational  awareness  to  the  overall  health  of  their  systems.  Under  current  vulnerability  sys¬ 
tem  the  status  individual  systems  are  reported  up  the  chain  of  command.  A  commander  doesn’t 
need  to  know  the  exact  status  of  each  system,  rather  he  needs  to  know  the  impact  of  those  vulne¬ 
rabilities.  In  an  edge  organization  the  commander  would  establish  high  level  goals  and  require¬ 
ments.  A  good  example  of  establishing  high  level  guidance  is  the  “Ten  Things  Every  Ainnan 


Must  Know  in  the  United  States  Air  Force  Doctrine  Document  3-12  of  15  July  2010  “Cyber¬ 
space  Operations”: 

1 .  The  United  States  is  vulnerable  to  cyberspace  attacks  by  relentless  adversaries  attempt  ing  to 
infiltrate  our  networks  at  work  and  at  home  -  millions  of  times  a  day,  24/7. 

2.  Our  enemies  plant  malicious  code,  worms,  botnets,  and  hooks  in  common  websites,  soft¬ 
ware,  and  hardware  such  as  thumbdrives,  printers,  etc. 

3.  Once  implanted,  this  code  begins  to  distort,  destroy,  and  manipulate  infonnation,  or 

— phonell  it  home.  Certain  code  allows  our  adversaries  to  obtain  higher  levels  of  credentials 
to  access  highly  sensitive  infonnation. 

4.  The  enemy  attacks  your  computers  at  work  and  at  home  knowing  you  communicate  with  the 
Air  Force  network  by  email,  or  transfer  infonnation  from  one  system  to  another. 

5.  As  cyber  wingmen,  you  have  a  critical  role  in  defending  your  networks,  your  information, 
your  security,  your  teammates,  and  your  country. 

6.  You  significantly  decrease  our  enemies’  access  to  our  networks,  critical  USAF  infonnation, 
and  even  your  personal  identity  by  taking  simple  action. 

7.  Do  not  open  attachments  or  click  on  links  unless  the  email  is  digitally  signed,  or  you  can  di¬ 
rectly  verify  the  source — even  if  it  appears  to  be  from  someone  you  know. 

8.  Do  not  connect  any  hardware  or  download  any  software  applications,  music,  or  infonnation 
onto  our  networks  without  approval 

9.  Encrypt  sensitive  but  unclassified  and/or  critical  information.  Ask  your  computer  systems 
administrator  (CSA)  for  more  information 

10.  Install  the  free  Department  of  Defense  anti-virus  software  on  your  home  computer.  Your 
CSA  can  provide  you  with  your  free  copy”  [5]. 

This  guidance  is  easy  too  understand  and  implement.  One  can  boil  down  the  current  policy  to 
some  similarly  simply  stated  goals  that  could  be  implemented  in  an  edge  Organization: 

1 .  Resilient  network  and  information  systemsBuild  resilience  at  local  level 

2.  Design  secure  systems  from  the  start 

3.  Secure  your  system  from  current  known  vulnerabilities  and  monitor  for  attacks  on  open  vul¬ 
nerabilities 

4.  Monitor  your  system 

5.  Correlate  attacks  to  known  vulnerabilities 

6.  Respond  to  attacks 

7.  Communicate  with  higher  headquarters 

(Author’s  interpretation  of  guidance  listed  on  IATC  2011  [2]) 

Creating  an  Edge  Cyber  Security  Organization 

In  order  to  become  an  edge  cyber  security  organization  we  should  consider  locations  as 
nodes  on  a  network  and  empower  those  nodes  to  defend  themselves  and  their  neighbors.  The 
tenn  neighbors  is  used  in  the  relationship  between  nodes  on  a  network  not  their  physical  loca¬ 
tion.  The  first  step  would  be  to  identify  the  policy  that  enhances  cyber  security,  for  example 
manning  requirements  to  defend  a  local  enclave.  The  next  step  can  be  done  by  providing  pre 
built  templates  like  the  current  Defense  Information  System  Agency  Gold  Disk  templates  for 


common  functions  and  let  them  develop  defense  for  their  unique  systems.  These  nodes  would 
also  need  visibility  into  their  local  network  traffic  and  tools  to  asses  their  local  vulnerabilities. 
There  are  already  a  variety  of  tools  in  use  by  the  DOD  that  can  accomplish  this.  They  would  also 
communicate  with  their  neighbors  and  gain  value  by  some  type  of  mutual  defense.  To  test  the 
effectiveness  of  an  edge  organization  a  test  enclave  could  be  established  that  is  empowered  to 
defend  their  own  network  and  communicate  directly  with  anyone  along  their  network  path.  Al¬ 
though  a  detailed  test  would  have  to  be  developed,  below  are  some  areas  that  could  be  measured 
to  see  the  effectiveness  of  an  edge  organization  [6]: 

Quality  of  organic  information 

-  Awareness  of  what  is  on  the  enclave 

-  Awareness  of  attacks  (successful  and  unsuccessful 

-  Awareness  of  vulnerabilities 

Quality  of  organic  Information 

Quality  of  Individual  Sense  making 

-  Do  the  operators  understand  what  is  on  their  network 

Quality  of  interactions 

Degree  of  shared  infonnation 

Extent:  Measure  flow  of  information  from  enclave  to  neighboring  enclaves,  CND  service 
providers,  and  higher  HQ.  This  could  be  measured  by:  exchange  of  correlating  IDS  alerts,  ex¬ 
change  of  vulnerability  alerts  and  status  of  connected  systems  (i.e.  Vulnerabilities,  accepted  risk) 
[6]. 

The  data  collected  from  this  test  could  be  compared  with  similar  data  from  other  enclaves  to 
see  if  there  was  an  improvement  in  overall  security 


In  many  cases  a  cyber  security  event  in  one  node  can  impact  another  node  or  have  a  broader 
impact  to  the  organization.  Systems  that  have  any  possibility  of  impacting  outside  of  a  node  or 
that  can  have  a  broader  impact  on  the  enterprise  would  have  to  be  identified  and  specific  report¬ 
ing  requirements  would  have  to  be  developed  to  notify  the  chain  of  command  with  appropriate 
time  reporting  requirements.  This  could  be  accomplished  in  many  ways  including  the  use  of  au¬ 
to-reporting  network  sensors.  Some  examples  of  automatic  external  reporting  requirements: 


-  Public  exposure  of  sensitive  or  classified  data 


-  Identification  of  self  replicating  wonn 

-  Insider  attack  from  one  node  to  another 


It  is  difficult  for  non  security  experts  to  understand  the  current  way  security  incidents  are 
handled.  To  better  illustrate  this  the  story  below  applies  the  methods  we  use  to  respond  to  com¬ 
puter  attacks  to  the  Navy  Medical  system. 

Applying  the  Current  Cyber  Defense  Workflow  to  the  Medical  System 

Seaman  Timmy  (compromised  computer)  assigned  to  a  ship  catches  the  flu.  The  Navy  Med¬ 
ical  Command  (Service  Computer  Emergency  Response  Team)in  Bethesda,  MD  sends  the 
corpsman  on  the  ship  an  alert  (intrusion  detection  alerts)  that  someone,  but  not  a  specific  person, 
is  sick  and  that  he  needs  to  be  isolated  immediately.  The  corpsman  must  search  the  ship  to  find 
the  sick  Sailor.  Once  found  the  corpsman  must  contact  the  medical  command  and  receive  guid¬ 
ance  on  how  to  aid  Seaman  Timmy.  If  the  corpsman  doesn’t  answer  all  questions  there  may  be 
additional  questions.  The  Medical  Commands  directive  to  isolate  Seaman  Timmy  may  endanger 
the  ship  since  Seaman  Timmy  is  the  helmsman,  steering  the  ship  while  at  sea,  (critical  system). 
Once  all  of  the  information  has  been  received  by  the  medical  command  they  will  tell  the 
corpsman  to  respond.  Lets  say  the  diagnose  is  a  bacterial  infection  the  medical  command  may 
prescribe  an  antibiotic.  Since  they  don’t  have  access  to  Seaman  Timmy’s  medical  record  (DI- 
AC  AP  package)  they  may  not  know  he  is  allergic  to  antibiotics  putting  him  at  risk. 

How  would  an  edge  organization  better  handle  the  response  to  a  computer  attack?  First  a  lo¬ 
cal  sensor  or  other  cueing  detects  compromised  host.  Local  network  defender  locates  system  and 
detennines  criticality  of  the  system.  Since  they  know  the  most  about  the  system  they  can  take  the 
best  steps  to  immediately  isolate  that  system  with  the  least  impact.  The  local  defenders  would 
also  know  the  system’s  relationship  and  possible  impact  to  connected  systems  and  could  alert 
adjacent  system  defenders  as  appropriate. 

Conclusion 

Defending  the  global  information  grid  against  attacks  from  Nation  States,  individual  hackers, 
organized  crime  and  malicious  insiders  is  a  complex  task  and  problem.  Solving  complex  prob¬ 
lems  requires  innovative  solutions  that  push  down  responsibility  and  empower  people  at  the  local 
level  to  defend  their  networks  and  systems.  Self  organized  groups  of  defenders  in  an  edge  organ¬ 
ization  offers  many  advantages  to  the  current  top  down  hierarchal  structure.  These  advantages 
include  quicker  response  to  network  attacks  by  empowering  individuals  at  the  unit  level,  resilient 
networks  by  improving  information  sharing  and  reducing  the  administrative  burden  by  removing 
redundant  policy  and  flattening  the  cyber  security  organization.  Higher  echelons  would  have  bet¬ 
ter  situational  awareness  because  they  could  focus  on  information  from  the  edge  that  has  been 
identified  as  critical  rather  that  sifting  through  huge  amounts  of  data  reports  without  context. 
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Centralized  planning  versus  agile  hackers 


Build  and  Operate  a  Trusted  GIG 
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1.1  Lend  and  Govern 
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4.1  Develop  and  Maintain  Trust... 
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2.3  A»*ure  Information  Sharing 
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Complex  Systems 

Configuration  options 

Locations  around  the  world  and  rapid 
deployments 

Limited  infrastructure  support 
Competing  interests  and  requirements 
*  Services,  mission  etc 
Procurement  cycle 


Emergent  Rules 


BRUCE 

liim/iip  l 


Edge  Theory 


Empowered  individuals 
Removal  of  collaboration  barriers 


Fog  of  War  in  Cyber 

Warfare 


Information  Overload 
Attacker  advantage 
Platoon  analogy 


How  would  it  work? 


Cyber  Warfare  C2 


#Keep  high  level  guidance  simple 

#“Ten  Things  Every  Airman  Must  Know” 

#“Do  not  open  attachments  or  click  on  links 
unless  the  email  is  digitally  signed,  or  you  can 
directly  verify  the  source — even  if  it  appears 
to  be  from  someone  you  know.” 

•  United  States  Air  Force  (USAF).  (2010).  Cyberspace  Operations 


United  States  Air  Force  (USAF).  (2010).  Cyberspace  Operations 


Keeping  It  Simple 

•Resilient  network  and  information  systems, 
build  resilience  at  local  level 

•Design  secure  systems  from  the  start 

•Secure  your  system  from  current  known 
vulnerabilities  and  monitor  for  attacks  on 
open  vulnerabilities 

•Monitor  your  system 

•Correlate  attacks  to  known  vulnerabilities 

•Respond  to  attacks 

•Communicate  with  higher  headquarters 


An  Edge  Like  Cyber  Security 
Organization  Organization 

Identify  policy  that  enhances  security,  dump 
the  rest 

Use  templates  like  Gold  Disk  and  encourage 
collaboration  and  sharing  of  these  (i.e.  same 
IT  requirements) 

Provide  local  network  visibility 

Treat  CND  service  providers  as  sensors  to 
support  local  enclaves 


Use  IA  Workforce 


Measuring  Success 


Quality  of  organic  information 
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Awareness  of  what  is  on  the  enclave 


Awareness  of  attacks 


Awareness  of  vulnerabilities 


Quality  of  Individual  Sense  Making 
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What  do  the  operators  know 


Quality  of  interactions 
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Degree  of  shared  information 


Cyber  Defense 
Workflow  Example 


Questions? 

csimpson4@mac. 


